b'Memorandum from the Office of the Inspector General\n\n\n\nFebruary 11, 2009\n\nE. Wayne Robertson, SP 5A-C\n\nREQUEST FOR FINAL ACTION \xe2\x80\x93 AUDIT 2008-11714 \xe2\x80\x93 DISPOSAL OF SURPLUS\nCOMPUTER EQUIPMENT\n\n\n\nAttached is the subject final report for your review and final action. [Redacted] Please\nnotify us when final action is complete.\n\nIf you have any questions, please contact Curtis Phillips, Project Manager, at\n(865) 633-7359 or Phyllis R. Bryan, Director, Information Technology Audits, at\n(865) 633-7332. We appreciate the courtesy and cooperation received from your staff\nduring the audit.\n\n\n\n\nRobert E. Martin\nAssistant Inspector General\n (Audits and Inspections)\nET 3C-K\n\nCDP:JP\nAttachment\ncc (Attachment):\n      Steven A. Anderson, SP 5A-C                John E. Long Jr., WT 7B-K\n      William H. Bonham, WT 3A-K                 Charles H. McFall Jr., SP 2D-C\n      Samuel S. Boozer, MP 3B-C                  Richard W. Moore, ET 4C-K\n      Terrell M. Burkhart, WT 3A-K               Gabrielle A. Ratliff, WT 5B-K\n      Frank A. Foster, OCP 2C-NST                Emily J. Reynolds, OCP 1L-NST\n      Peyton T. Hairston Jr., WT 7B-K            James W. Sample, SP 5A-C\n      David M. Harrison, SP 3K-C                 Joyce L. Shaffer, WT 4D-K\n      Tom D. Kilgore, WT 7B-K                    Michael T. Tallent, MP 3C-C\n      Ralph Edward King, WT 5A-K                 Robert B. Wells, WT 4B-K\n      Melissa A. Livesey, WT 5B-K                OIG File No. 2008-11714\n\x0cDisposal of Surplus Computer Equipment\n\n\n          Audit 2008-11714\n            February 11,\n                     11 2009\n\x0cSynopsis\n  We found:\n  \xc2\x8b   TVA\'s process for the disposal of surplus computer equipment does not\n      adequately protect TVA resources or track the disposition of surplus\n      equipment. Specifically, (1) the equipment inventory in [redacted] was not\n      correctly\n              y updated\n                 p       when equipment\n                                 q p       was removed from service;; (2)\n                                                                       ( ) equipment\n                                                                            q p\n      transferred from Information Services (IS) to Technology Initiative (TI) was\n      not tracked to prevent unnecessary storage, loss, or theft; (3) TI did not\n      maintain an inventory of equipment received for disposal or reconcile\n      equipment received with equipment surplused by IS IS, and (4) the disposition\n      records maintained by TI do not account for the disposition of 6,631, or\n      63.9 percent, of the computers surplused by IS.\n  \xc2\x8b   TVA\'s policies, procedures, and practices for cleaning hard drives of surplus\n      computer\n             t equipment\n                     i     t are generally\n                                       ll adequate.\n                                            d    t S Specifically,\n                                                          ifi ll ththe h\n                                                                       hard\n                                                                          dd drives\n                                                                               i\n      examined during this review had been cleaned; however, documentation for\n      redeployments, donations, and sales did not contain a certification that hard\n      drives had been wiped.\n  .\n\n\n\n                                       2\n\x0cSynopsis (cont.)\n  \xc2\x8b   TVA\'s handling of surplus computer equipment is not consistent with\n      existing environmental regulations in that used or broken Cathode Ray\n      Tube (CRT) monitors are not always packaged to prevent exposure to the\n      environment or labeled as containing lead during storage or shipment.\n  \xc2\x8b   The current surplus\n                     p    equipment\n                           q p      p\n                                    process could be improved\n                                                       p      by:\n                                                               y\n       \xe2\x80\x93 Coordinating donations with Corporate Contributions.\n       \xe2\x80\x93 Implementing agreements limiting TVA\'s liability when disposing of\n               p y equipment.\n         third-party q p\n       \xe2\x80\x93 Reviewing the current process for recycling equipment to reduce the\n         risk of an accidental disclosure of information.\n      NOTE: Effective November 24,, 2008,, the responsibility\n                                                     p       y for surplus\n                                                                      p\n      equipment was transferred from Procurement to IS. The findings in this\n      report relate to the process in place before that change, and the\n      recommendations should be considered as the reorganization is carried\n      out.\n      out\n\n\n                                     3\n\x0cBackground\n \xc2\x8b   This audit was initiated as a follow-up to an Office of the Inspector General\n     report on Lost and Stolen Computers\n                                Computers.\n \xc2\x8b   Surplus computer equipment includes all electronic items such as personal\n     computers, monitors, printers, laptops, servers, routers, switches, cell\n     phones,, p\n     p        personal digital\n                         g     assistants,, LCD p\n                                                projectors,\n                                                   j      , and some lab\n     equipment.\n \xc2\x8b   IS is responsible for managing computer equipment and maintaining an\n     inventory.\n \xc2\x8b   IS, with input from TVA Business Units, determines when to retire\n     equipment.\n \xc2\x8b   Procurement\'s TI handled the disposition of surplus computer equipment.\n     Eff ti N\n     Effective November\n                    b 2424, 2008\n                            2008, th\n                                  the TI group ttransferred\n                                                     f    d tto IS IInfrastructure\n                                                                      f t t\n     Operations.\n\n\n\n\n                                       4\n\x0cSurplus and Disposal Process\n  Identified for                   Equipment\n                                     q p     Shipped\n                                                pp                  TI Processes\n  Surplus                          to TI                            Equipment\n     \xe2\x80\xa2 Equipment inventory           \xe2\x80\xa2 The process for storing        \xe2\x80\xa2 TI sorts equipment and\n       maintained in [redacted].       and shipping surplus             determines best method\n     \xe2\x80\xa2 Inventory statuses              computer varies by site.         for disposal.\n       include Production,             \xe2\x80\xa2 Corporate locations\xe2\x80\x94         \xe2\x80\xa2 One of four methods is\n       Removed Retired\n       Removed,     Retired,             Facilities Management          used to dispose of\n       Lost/No Discovery,                stores and ships the           equipment:\n       Write-Off, and Stock.             equipment.                     \xe2\x80\xa2 Redeploy to TVA\n     \xe2\x80\xa2 IS and Business Units           \xe2\x80\xa2 Nuclear plants\xe2\x80\x94                  organizations.\n       determine when                    Facility staff store and       \xe2\x80\xa2 Sell equipment.\n       equipment is surplus              move the equipment.            \xe2\x80\xa2 Donate to schools or\n       and should be shipped           \xe2\x80\xa2 Fossil plants\xe2\x80\x94                   charities.\n       to TI for disposal.\n                 disposal                Laborers handle the            \xe2\x80\xa2 Recycle\n                                                                          R      l under\n                                                                                      d a\n     \xe2\x80\xa2 [Redacted] updated to             process. In most                 Memorandum of\n       reflect equipment                 cases, the equipment             Understanding with\n       removed from                      is just stored in the            the Department of\n       production.                       dock area until there            Energy (DOE), which\n     \xe2\x80\xa2 Hard drives wiped by IS           is a sufficient quantity         has a contract with\n       personnel.                        for shipment.                    Tennessee Oak Ridge\n     \xe2\x80\xa2 Equipment turned over         \xe2\x80\xa2 Shipments are to comply            National Recycle\n       to Site or Facility             with environmental rules           Center (TORNRC).\n       Management for                  and regulations.\n       shipment to TI.\n     \xe2\x80\xa2 [Redacted] updated to\n       reflect equipment was\n       "Retired" after it is\n       disposed\n           p      of by\n                      y TI.\n\n\n\n\n                                         5\n\x0cObjectives, Scope, and Methodology\n  \xc2\x8b   Objectives\n      \xe2\x80\x93 The purpose was to determine if policies, procedures, and practices for\n        handling surplus computer equipment:\n        \xc2\x8b   Adequately protected TVA resources.\n        \xc2\x8b   Prevented the inadvertent disclosure of TVA information.\n        \xc2\x8b   Complied with existing environmental regulations.\n  \xc2\x8b   Scope\n      \xe2\x80\x93 Selected the period of October 1, 2007, to March 31, 2008, for the\n        review.\n  \xc2\x8b   Methodology\n      \xe2\x80\x93 Conducted interviews with TVA personnel involved with or responsible\n        for handling surplus equipment to identify the policies, processes, and\n        practices followed by IS and TI.\n\n\n\n                                      6\n\x0cObjectives, Scope, and Methodology\n(cont.)\n(     )\n  \xc2\x8b   Methodology (cont.)\n      \xe2\x80\x93 Selected a judgmental sample of 185 items of equipment disposed of by\n        TI to determine whether the status was correctly recorded in [redacted].\n      \xe2\x80\x93 Using the same judgmental sample, determined whether TI followed\n        their procedures for disposing of the equipment\n                                              equipment.\n      \xe2\x80\x93 Determined whether sales by TI for the period October 1, 2007, to\n        March 31, 2008, were correctly recorded and the receipts correctly\n        deposited\n          p       in a TVA account.\n      \xe2\x80\x93 Reviewed the transfers from IS to TI of the 185 judgmentally sampled\n        items.\n      \xe2\x80\x93 Forensically\n                   y examined a jjudgmental\n                                      g       sample\n                                                 p of nine hard drives\n        transferred from IS to TI to determine whether they had been cleaned of\n        TVA information by IS.\n      \xe2\x80\x93 Conducted interviews with TVA personnel responsible for environmental\n        compliance.\n            li\n\n\n                                     7\n\x0cObjectives, Scope, and Methodology\n(cont.)\n(     )\n  \xc2\x8b   Methodology (cont.)\n      \xe2\x80\x93 Fieldwork was performed between April 16, 2008, and\n        September 24, 2008.\n      \xe2\x80\x93 We conducted this performance audit in accordance with generally\n        accepted government auditing standards\n                                        standards. Those standards require that\n        we plan and perform the audit to obtain sufficient, appropriate evidence\n        to provide a reasonable basis for our findings and conclusions based on\n        our audit objectives. We believe that the evidence obtained provides a\n        reasonable\n                 bl basis\n                    b i ffor our fi\n                                 findings\n                                    di    and\n                                            d conclusions\n                                                    l i     b\n                                                            based\n                                                                d on our audit\n                                                                            dit\n        objectives.\n\n\n\n\n                                      8\n\x0cFinding 1 \xe2\x80\x93 Process Improvements\nN d d\nNeeded\n  \xc2\x8b   Information in [Redacted] Does Not Correctly Reflect Status\n      \xe2\x80\x93 The information in [redacted] does not correctly reflect the inventory\n        status of computer equipment after it is taken out of service as surplus\n        or disposed of by TI.\n         \xc2\x8b   Only 11 percent,\n                      percent or 21 items in our sample,\n                                                 sample was initially classified as\n             "Removed" when taken out of service as required by policy. The\n             majority 89 items, or 48 percent, were initially classified as\n             "Lost/Write-Off/No Discovery" when taken out of service.\n         \xc2\x8b   Only 18 percent, or 33 items in our sample, had been classified as\n             "Retired" or in "Production" (items redeployed by TI) as required by IS\n             policy.\n         \xc2\x8b   IS d\n                does nott ttrack\n                               k th\n                                 the lif\n                                     life cycle\n                                             l off monitors\n                                                      it    iin [[redacted].\n                                                                    d t d] Our\n                                                                             O sample\n                                                                                   l\n             included 24 monitors.\n\n\n\n\n                                        9\n\x0cFinding 1 \xe2\x80\x93 Process Improvements\nNeeded\nN d d ((cont.))\n   \xe2\x80\x93 Transfer of Equipment From IS to TI Not Tracked\n     \xc2\x8b   The process for\n         Th            f transferring\n                          t    f i surplus l computer t equipment\n                                                              i    t from\n                                                                     f    IS to\n                                                                             t\n         TI lacks adequate guidelines and controls to ensure appropriate\n         disposal and prevent loss, theft, or destruction of equipment and the\n         information it contains. Currently, equipment transferred is being:\n         \xe2\x80\x93 Stripped of usable parts.\n         \xe2\x80\x93 Damaged, lost, or stolen in transfer.\n         \xe2\x80\x93 Stored for years before being transferred to TI.\n                                                        TI\n   \xe2\x80\x93 No Inventory Records of Equipment Received for Disposition\n     \xc2\x8b   TI does not document or inventory equipment received for disposal.\n         TI records the disposition of equipment\n                                        equipment, however\n                                                    however, there is no\n         reconciliation of equipment received with equipment surplused by\n         IS. The absence of an inventory or reconciliation elevates TVA\'s\n         risk for the inadvertent disclosure of information.\n\n\n\n                                   10\n\x0cFinding 1 \xe2\x80\x93 Process Improvements\nNeeded\nN d d ((cont.))\n  \xc2\x8b   The records maintained by TI do not reflect the disposition of 63.9 percent\n      of the computers surplused by IS during the period January 2007 to\n      October 2008. During this period, [redacted] shows IS removed or retired\n      10,378 computers from service; however, the disposition records\n      maintained by TI show they disposed of only 3,747, or 36.1 percent, of the\n      computers\n             t  surplused.\n                     l   d\n\n\n\n\n                                     11\n\x0cFinding 2 \xe2\x80\x93 Protection of Information\n  \xc2\x8b   Generally, the policies, procedures, and practices for cleaning hard drives\n      of surplus equipment are adequate to protect TVA information; however\n                                                                       however,\n      improvement is needed in the following area:\n      \xe2\x80\x93 The documentation for redeployments, donations, and sales did not\n        contain a certification that hard drives had been wiped.\n                                                            p    TI\'s effort to\n        wipe hard drives is a secondary control as IS performs the primary\n        control by wiping hard drives when they are retired. However, if TI is\n        going to perform the control, it should be documented by the technician\n        certifying the drive was wiped and the date the function was performed\n                                                                      performed.\n\n\n\n\n                                      12\n\x0cFinding 3 \xe2\x80\x93 Environmental\nC\nCompliance\n      li\n  \xc2\x8b   TVA\'s handling of surplus computer equipment is not consistent with\n      existing environmental regulations\n                              regulations. Computer equipment\n                                                      equipment, including used or\n      broken CRTs in storage or transit for recycling, is not regulated as\n      hazardous waste. However, under 40 CFR 261.39, used or broken CRTs\n      in storage or shipment must be packaged in enclosed containers to prevent\n      release\n        l      tto the\n                   th environment.\n                         i       t Th\n                                    They mustt also\n                                                l b be llabeled\n                                                          b l d or marked\n                                                                       k d\n      indicating they contain lead. We found:\n      \xe2\x80\x93 CRTs are not always packaged in enclosed containers to prevent\n        release to the environment.\n                       environment\n      \xe2\x80\x93 They are not labeled as containing lead while in shipment or storage.\n        (Slide 14 is a photo of a typical shipment.)\n\n\n\n\n                                     13\n\x0cPhotograph of Equipment in Transit\n\n\n\n\n                14\n\x0cFinding 4 \xe2\x80\x93 Additional Process\nImprovements\nImprovements\n  \xc2\x8b   Improve Coordination of Donations With Corporate Contributions\n      \xe2\x80\x93   TI did nott coordinate\n                          di t computer\n                                      t equipment\n                                             i     td\n                                                    donations\n                                                          ti  with\n                                                                ith C\n                                                                    Corporate\n                                                                            t C\n                                                                              Contributions.\n                                                                                  t ib ti\n          Business Practice 21 requires all TVA donations be processed or approved by\n          Corporate Contributions to ensure they align with TVA\'s overall business objectives.\n  \xc2\x8b   Implement an Agreement When Handling Third-Party Equipment\n      \xe2\x80\x93   TVA disposes of equipment for certain third parties including distributors and the credit\n          union. However, there are no agreements limiting TVA\'s liability if sensitive information\n          is inadvertently disclosed or the equipment is not recycled correctly.\n  \xc2\x8b   Review Process for Recycling\n                            y    g Equipment\n                                    q p      to Reduce Risk of Accidental\n      Disclosure\n      \xe2\x80\x93   Equipment considered scrap is disposed of through a Memorandum of Understanding\n          with DOE, Oak Ridge, Tennessee. DOE takes ownership of the equipment, and it is\n          processed for recycling\n          p                  y    g under their contract with TORNRC. TVA ppersonnel believed the\n          equipment shipped to TORNRC was being shredded. However, we found some\n          equipment shipped to TORNRC as scrap was not shredded but shipped to other\n          locations for disposition which includes resale on eBay. According to TORNRC\n          representatives, they wipe the hard drives for the computer equipment resold. However,\n          we were not able to confirm TORNRC wiped the hard drives\n                                                                 drives.\n\n\n\n                                             15\n\x0cRecommendations\n IS should:\n \xc2\x8b   IImprove the\n               th process for\n                          f recording\n                                 di the\n                                      th inventory\n                                         i    t    status\n                                                    t t off equipment\n                                                               i    t in\n                                                                      i\n      [redacted].\n \xc2\x8b   Update the current surplus equipment procedures to (1) reflect the new\n     organizational structure and (2) include instructions for properly packing\n     and labeling CRTs consistent with existing requirements.\n \xc2\x8b   Establish an inventory system for TI that records all items received and\n     their disposition.\n \xc2\x8b   Reconcile equipment surplused by IS with equipment disposed of by TI.\n \xc2\x8b   Require technicians to (1) certify hard drives on resold, donated, or\n     redistributed equipment have been wiped and ((2)) complete the\n     documentation required by the current procedures.\n\n\n\n\n                                     16\n\x0cRecommendations (cont.)\n \xc2\x8b   Implement a process for coordinating with Corporate Contributions when\n     equipment is donated as required by Business Practice 21 Contributions/\n     Sponsorships.\n \xc2\x8b   Implement agreements with third parties to limit TVA\'s liability if sensitive\n     information is inadvertently\n                                y disclosed or the equipment\n                                                    q p      is not recycled\n                                                                          y\n     correctly.\n \xc2\x8b   Review the process for recycling equipment to reduce the risk of accidental\n     disclosure.\n\n\n\n\n                                      17\n\x0cManagement Response to Draft\n   TVA Management\'s Comments \xe2\x80\x93 The Vice President, IS, in general\n     agreed d with\n                ith our ffacts,\n                            t conclusions,\n                                   l i      andd recommendations\n                                                           d ti    andd provided\n                                                                            id d\n     proposed actions to implement our recommendations. IS plans to\n     (1) create a new department charged with the management of TVA\'s IT\n     assets including receiving, inventory, and the surplus process;\n     (2) evaluate additional technology such as radio-frequency\n     identification (RFID), [redacted], and [redacted] to aid in the\n     management of IT equipment; and (3) provide a common set of work\n     instructions,, procedures,\n                    p           , and a single\n                                           g system\n                                                y     for recording\n                                                                  g inventory\n                                                                            y\n     information for use in the management of IT assets. (See the Appendix\n     for the entire response.) Target for completion of actions is May 30,\n     2009.\n   A dit \' R\n   Auditor\'s Response \xe2\x80\x93 We\n                        W concur with\n                                  ith management\'s\n                                               t\' proposed\n                                                         d actions.\n                                                             ti\n\n\n\n\n                                  18\n\x0cAPPENDIX\nPage 1 of 2\n\x0c             APPENDIX\n             Page 2 of 2\n\n\n\n\n[REDACTED]\n\x0c'